feat: Add ability to add/delete relationship for all actors (#3254)

## Relevant issue(s) Resolves #3255 ## Description - Can target all actors using `"*"` to add or delete acp relationships. - All explicitly added relationships are unaffected upon revocation using `"*"` (they will keep access). ### For Reviewers - Commit by commit review should be easier. - [x] todo: Pushing the crashing gql tests fix once #3267 is merged ## Tasks - [x] I made sure the code is well commented, particularly hard-to-understand areas. - [x] I made sure the repository-held documentation is changed accordingly. - [x] I made sure the pull request title adheres to the conventional commit style (the subset used in the project can be found in [tools/configs/chglog/config.yml](tools/configs/chglog/config.yml)). - [x] I made sure to discuss its limitations such as threats to validity, vulnerability to mistake and misuse, robustness to invalidation of assumptions, resource requirements, ... ## How has this been tested? - Integration tests Specify the platform(s) on which this was tested: - Manjaro WSL2
sourcenetwork · Nov 26, 2024 · c7b8b93 · c7b8b93
1 parent e2c657e
commit c7b8b93
Show file tree

Hide file tree

Showing 13 changed files with 1,278 additions and 73 deletions.
diff --git a/acp/README.md b/acp/README.md
@@ -631,6 +631,26 @@ Result:
 Error: document not found or not authorized to access
 ```
 
+Sometimes we might want to give a specific access (form a relationship) not just to one identity, but any identity.
+In that case we can specify "*" instead of specifying an explicit `actor`:
+```sh
+defradb client acp relationship add \
+--collection Users \
+--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+--relation reader \
+--actor "*" \
+--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+```
+
+Result:
+```json
+{
+  "ExistedAlready": false
+}
+```
+
+**Note: specifying `*` does not overwrite any previous formed relationships, they will remain as is **
+
 ### Revoking Access To Private Documents
 
 To revoke access to a document for an actor, we must delete the relationship between the
@@ -695,6 +715,26 @@ defradb client collection docIDs --identity 4d092126012ebaf56161716018a71630d994
 
 **Result is empty from the above command**
 
+We can also revoke the previously granted implicit relationship which gave all actors access using the "*" actor.
+Similarly we can just specify "*" to revoke all access given to actors implicitly through this relationship:
+```sh
+defradb client acp relationship delete \
+--collection Users \
+--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+--relation reader \
+--actor "*" \
+--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+```
+
+Result:
+```json
+{
+  "RecordFound": true
+}
+```
+
+**Note: Deleting with`*` does not remove any explicitly formed relationships, they will remain as they were **
+
 ## DAC Usage HTTP:
 
 ### Authentication

diff --git a/acp/acp_local.go b/acp/acp_local.go
@@ -254,9 +254,25 @@ func (l *ACPLocal) AddActorRelationship(
 
 	ctx = auth.InjectPrincipal(ctx, principal)
 
+	var newActorRelationship *types.Relationship
+	if targetActor == "*" {
+		newActorRelationship = types.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = types.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	setRelationshipRequest := types.SetRelationshipRequest{
 		PolicyId:     policyID,
-		Relationship: types.NewActorRelationship(resourceName, objectID, relation, targetActor),
+		Relationship: newActorRelationship,
 		CreationTime: creationTime,
 	}
 
@@ -285,9 +301,25 @@ func (l *ACPLocal) DeleteActorRelationship(
 
 	ctx = auth.InjectPrincipal(ctx, principal)
 
+	var newActorRelationship *types.Relationship
+	if targetActor == "*" {
+		newActorRelationship = types.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = types.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	deleteRelationshipRequest := types.DeleteRelationshipRequest{
 		PolicyId:     policyID,
-		Relationship: types.NewActorRelationship(resourceName, objectID, relation, targetActor),
+		Relationship: newActorRelationship,
 	}
 
 	deleteRelationshipResponse, err := l.engine.DeleteRelationship(ctx, &deleteRelationshipRequest)

diff --git a/acp/acp_source_hub.go b/acp/acp_source_hub.go
@@ -273,18 +273,28 @@ func (a *acpSourceHub) AddActorRelationship(
 	creationTime *protoTypes.Timestamp,
 ) (bool, error) {
 	msgSet := sourcehub.MsgSet{}
+
+	var newActorRelationship *acptypes.Relationship
+	if targetActor == "*" {
+		newActorRelationship = acptypes.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = acptypes.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	cmdMapper := msgSet.WithBearerPolicyCmd(&acptypes.MsgBearerPolicyCmd{
-		Creator:     a.signer.GetAccAddress(),
-		BearerToken: requester.BearerToken,
-		PolicyId:    policyID,
-		Cmd: acptypes.NewSetRelationshipCmd(
-			acptypes.NewActorRelationship(
-				resourceName,
-				objectID,
-				relation,
-				targetActor,
-			),
-		),
+		Creator:      a.signer.GetAccAddress(),
+		BearerToken:  requester.BearerToken,
+		PolicyId:     policyID,
+		Cmd:          acptypes.NewSetRelationshipCmd(newActorRelationship),
 		CreationTime: creationTime,
 	})
 	tx, err := a.txBuilder.Build(ctx, a.signer, &msgSet)
@@ -323,18 +333,28 @@ func (a *acpSourceHub) DeleteActorRelationship(
 	creationTime *protoTypes.Timestamp,
 ) (bool, error) {
 	msgSet := sourcehub.MsgSet{}
+
+	var newActorRelationship *acptypes.Relationship
+	if targetActor == "*" {
+		newActorRelationship = acptypes.NewAllActorsRelationship(
+			resourceName,
+			objectID,
+			relation,
+		)
+	} else {
+		newActorRelationship = acptypes.NewActorRelationship(
+			resourceName,
+			objectID,
+			relation,
+			targetActor,
+		)
+	}
+
 	cmdMapper := msgSet.WithBearerPolicyCmd(&acptypes.MsgBearerPolicyCmd{
-		Creator:     a.signer.GetAccAddress(),
-		BearerToken: requester.BearerToken,
-		PolicyId:    policyID,
-		Cmd: acptypes.NewDeleteRelationshipCmd(
-			acptypes.NewActorRelationship(
-				resourceName,
-				objectID,
-				relation,
-				targetActor,
-			),
-		),
+		Creator:      a.signer.GetAccAddress(),
+		BearerToken:  requester.BearerToken,
+		PolicyId:     policyID,
+		Cmd:          acptypes.NewDeleteRelationshipCmd(newActorRelationship),
 		CreationTime: creationTime,
 	})
 

diff --git a/cli/acp_relationship_add.go b/cli/acp_relationship_add.go
@@ -64,6 +64,14 @@ Example: Let another actor (4d092126012ebaf56161716018a71630d99443d9d5217e9d8502
 	--actor did:key:z7r8os2G88XXBNBTLj3kFR5rzUJ4VAesbX7PgsA68ak9B5RYcXF5EZEmjRzzinZndPSSwujXb4XKHG6vmKEFG6ZfsfcQn \
 	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
 
+Example: Let all actors read a private document:
+  defradb client acp relationship add \
+	--collection Users \
+	--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+	--relation reader \
+	--actor "*" \
+	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+
 Example: Creating a dummy relationship does nothing (from database perspective):
   defradb client acp relationship add \
 	-c Users \

diff --git a/client/db.go b/client/db.go
@@ -113,7 +113,9 @@ type DB interface {
 	// If failure occurs, the result will return an error. Upon success the boolean value will
 	// be true if the relationship already existed (no-op), and false if a new relationship was made.
 	//
-	// Note: The request actor must either be the owner or manager of the document.
+	// Note:
+	// - The request actor must either be the owner or manager of the document.
+	// - If the target actor arg is "*", then the relationship applies to all actors implicitly.
 	AddDocActorRelationship(
 		ctx context.Context,
 		collectionName string,
@@ -128,7 +130,10 @@ type DB interface {
 	// be true if the relationship record was found and deleted. Upon success the boolean value
 	// will be false if the relationship record was not found (no-op).
 	//
-	// Note: The request actor must either be the owner or manager of the document.
+	// Note:
+	// - The request actor must either be the owner or manager of the document.
+	// - If the target actor arg is "*", then the implicitly added relationship with all actors is
+	//   removed, however this does not revoke access from actors that had explicit relationships.
 	DeleteDocActorRelationship(
 		ctx context.Context,
 		collectionName string,

diff --git a/docs/website/references/cli/defradb_client_acp_relationship_add.md b/docs/website/references/cli/defradb_client_acp_relationship_add.md
@@ -30,6 +30,14 @@ Example: Let another actor (4d092126012ebaf56161716018a71630d99443d9d5217e9d8502
 	--actor did:key:z7r8os2G88XXBNBTLj3kFR5rzUJ4VAesbX7PgsA68ak9B5RYcXF5EZEmjRzzinZndPSSwujXb4XKHG6vmKEFG6ZfsfcQn \
 	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
 
+Example: Let all actors read a private document:
+  defradb client acp relationship add \
+	--collection Users \
+	--docID bae-ff3ceb1c-b5c0-5e86-a024-dd1b16a4261c \
+	--relation reader \
+	--actor "*" \
+	--identity e3b722906ee4e56368f581cd8b18ab0f48af1ea53e635e3f7b8acd076676f6ac
+
 Example: Creating a dummy relationship does nothing (from database perspective):
   defradb client acp relationship add \
 	-c Users \

diff --git a/tests/integration/acp.go b/tests/integration/acp.go
@@ -88,7 +88,7 @@ type AddPolicy struct {
 	Policy string
 
 	// The policy creator identity, i.e. actor creating the policy.
-	Identity immutable.Option[identityRef]
+	Identity immutable.Option[identity]
 
 	// The expected policyID generated based on the Policy loaded in to the ACP system.
 	ExpectedPolicyID string
@@ -159,13 +159,13 @@ type AddDocActorRelationship struct {
 	// The target public identity, i.e. the identity of the actor to tie the document's relation with.
 	//
 	// This is a required field. To test the invalid usage of not having this arg, use NoIdentity() or leave default.
-	TargetIdentity immutable.Option[identityRef]
+	TargetIdentity immutable.Option[identity]
 
 	// The requestor identity, i.e. identity of the actor creating the relationship.
 	// Note: This identity must either own or have managing access defined in the policy.
 	//
 	// This is a required field. To test the invalid usage of not having this arg, use NoIdentity() or leave default.
-	RequestorIdentity immutable.Option[identityRef]
+	RequestorIdentity immutable.Option[identity]
 
 	// Result returns true if it was a no-op due to existing before, and false if a new relationship was made.
 	ExpectedExistence bool
@@ -251,13 +251,13 @@ type DeleteDocActorRelationship struct {
 	// The target public identity, i.e. the identity of the actor with whom the relationship is with.
 	//
 	// This is a required field. To test the invalid usage of not having this arg, use NoIdentity() or leave default.
-	TargetIdentity immutable.Option[identityRef]
+	TargetIdentity immutable.Option[identity]
 
 	// The requestor identity, i.e. identity of the actor deleting the relationship.
 	// Note: This identity must either own or have managing access defined in the policy.
 	//
 	// This is a required field. To test the invalid usage of not having this arg, use NoIdentity() or leave default.
-	RequestorIdentity immutable.Option[identityRef]
+	RequestorIdentity immutable.Option[identity]
 
 	// Result returns true if the relationship record was expected to be found and deleted,
 	// and returns false if no matching relationship record was found (no-op).